In September 2024, researchers disclosed CVE-2024-47176 — a CVSS 9.9 remote code execution vulnerability in CUPS, the Unix printing system. Hundreds of thousands of Linux servers were exposed. Most of their admins had never intentionally installed a print service. CUPS was just there, listening on UDP port 631, because the distro put it there.
TL;DR
- Every major Linux distro ships services you didn’t request — many listening on network ports
- CUPS (CVE-2024-47176, CVSS 9.9), snapd (CVE-2026-3888), avahi, rpcbind, and others are enabled by default across popular distros
- Most admins don’t know these services are running — what you don’t know, you don’t patch
- Auditing takes under five minutes; disabling unnecessary services takes under ten
- CIS Benchmarks exist for all major distros and codify exactly which services to remove
Why This Problem Is Worse Than It Looks
Every service running on a server is an attack surface. A service you didn’t install and don’t know about is an attack surface you won’t monitor, won’t patch, and won’t notice when it gets exploited.
This isn’t theoretical. The pattern repeats constantly: a critical CVE drops, incident responders investigate, and the affected service turns out to be something nobody consciously chose to run. It was a default.
This guide covers the most dangerous defaults across the six most common Linux server distros, with audit commands and hardening steps for each.
How to Audit Any System in 60 Seconds
Before diving into distro-specific details, here’s the universal audit — run this on any Linux server:
```bash
# All listening network ports and the process behind each
ss -tulnp

# All enabled systemd services (start on boot)
systemctl list-unit-files --state=enabled --type=service

# Services currently running
systemctl list-units --type=service --state=running

# Cross-reference: what's listening that you don't recognize?
ss -tulnp | grep -v 'sshd\|chronyd\|systemd'
```
Anything in that last output that you can’t immediately explain is worth investigating.
Ubuntu Server: The Busiest Default Install
Ubuntu is the most widely deployed Linux server distro — and ships with the most unrequested services of any major distribution.
snapd — The Invisible Privilege Escalation Vector
Enabled by default: Ubuntu 20.04+ (including server images)
snapd manages containerized application packages called “snaps.” On a server, you almost certainly don’t need it. It runs as root, has complex sandbox logic, and has a track record of serious vulnerabilities.
Recent CVE: CVE-2026-3888 (CVSS 7.8)
An attacker with low-privilege local access can exploit a race condition between snap-confine and systemd-tmpfiles to execute arbitrary code as root. No user interaction required.
Previous notable CVEs:
- CVE-2019-11476 / CVE-2019-11477 — multiple snap sandbox escapes
- CVE-2021-44731 — local privilege escalation via snap-confine symlink attack (CVSS 7.8)
The pattern is consistent: snap’s sandboxing complexity creates LPE (local privilege escalation) opportunities. An attacker who gets a shell via any other vulnerability — a web app RCE, a misconfigured SSH key — can use snap vulnerabilities to reach root.
```bash
# Check if snapd is running
systemctl is-active snapd

# List installed snaps (you may be surprised)
snap list

# Disable and remove if not needed
sudo systemctl disable --now snapd
sudo apt purge snapd
sudo apt-mark hold snapd  # prevent reinstallation
```
Note: Some Ubuntu packages pull in snapd as a dependency during installation. `apt-mark hold snapd` prevents it from coming back automatically.
avahi-daemon — mDNS Broadcasting on Your Server
Enabled by default: Ubuntu Desktop and Server
Avahi implements mDNS (Multicast DNS) and DNS-SD — the same technology behind Apple’s Bonjour. It broadcasts your server’s hostname and services on the local network, answering discovery queries automatically.
On a workstation, this is convenient. On a server, it’s unnecessary network chatter that reveals infrastructure details and has historically had memory corruption bugs.
```bash
sudo systemctl disable --now avahi-daemon
sudo apt purge avahi-daemon
```
CUPS — The Print Server That Shouldn’t Be on Your Server
Enabled by default: Ubuntu Desktop; sometimes pulled in on Server
CUPS (Common Unix Printing System) listens on TCP port 631 and UDP port 631. If your server doesn’t print, this serves no purpose except expanding your attack surface.
CVE-2024-47176 (CVSS 9.9) — discovered September 2024, this allows a remote unauthenticated attacker to trigger arbitrary command execution by sending a crafted UDP packet to port 631. The vulnerability chain involves cups-browsed automatically installing a malicious printer from an attacker-controlled source.
```bash
# Check if cups is listening
ss -tulnp | grep 631

# Remove it
sudo systemctl disable --now cups cups-browsed
sudo apt purge cups cups-browsed
```
ModemManager — Mobile Broadband on a Rack Server
Enabled by default: Ubuntu Server
ModemManager manages mobile broadband modems (3G/4G USB dongles). On a physical or virtual server in a datacenter, there is no reason for this to run.
```bash
sudo systemctl disable --now ModemManager
sudo apt purge modemmanager
```
apport — Crash Reporter with Elevated Privileges
Enabled by default: Ubuntu
apport handles crash reporting and runs with elevated privileges to collect diagnostic data from crashed processes. It has been exploited multiple times to read files outside normal user access.
CVE-2021-3899, CVE-2022-1242 — apport sandbox escape and arbitrary file read vulnerabilities. Both were default-on Ubuntu installations.
```bash
sudo systemctl disable --now apport
# Or disable persistently:
echo "enabled=0" | sudo tee /etc/default/apport
```
whoopsie — Calling Home to Canonical
Enabled by default: Ubuntu
whoopsie uploads crash reports to Canonical’s error tracking service (errors.ubuntu.com). Beyond the privacy implications of a server automatically sending crash data externally, it represents an outbound channel that security policies may prohibit.
```bash
sudo systemctl disable --now whoopsie
sudo apt purge whoopsie
```
motd-news — Fetching Content from the Internet on Boot
Enabled by default: Ubuntu
The Ubuntu message-of-the-day system fetches “news” from Canonical’s servers every boot and on a timer. This is a timer-triggered outbound HTTP connection from your server to an external host — running as root.
```bash
sudo systemctl disable --now motd-news.timer
sudo chmod -x /etc/update-motd.d/*  # disable all dynamic motd scripts
```
Ubuntu: Full Audit One-Liner
```bash
for svc in snapd avahi-daemon cups cups-browsed ModemManager apport whoopsie; do
  status=$(systemctl is-active "$svc" 2>/dev/null)
  echo "$svc: $status"
done
```
Debian: Leaner, But Not Clean
Debian has a reputation for being more conservative than Ubuntu. It is — but it still ships defaults worth reviewing.
avahi-daemon
Same issue as Ubuntu. Enabled by default on Debian Desktop installations and sometimes present on server installs depending on meta-packages chosen.
```bash
sudo systemctl disable --now avahi-daemon
sudo apt purge avahi-daemon
```
CUPS
Same CVE-2024-47176 applies. Debian ships CUPS and cups-browsed in many installation profiles.
```bash
sudo systemctl disable --now cups cups-browsed
sudo apt purge cups cups-browsed
```
rpcbind — The Portmapper That Opens NFS
Enabled by default: Debian when NFS-related packages are installed
rpcbind (formerly portmap) is the RPC portmapper — a service that maps RPC program numbers to network port numbers. It’s required for NFS. It listens on port 111 (TCP and UDP).
If you’re not using NFS, rpcbind serves no purpose. If you are using NFS and rpcbind is exposed to untrusted networks, you have a serious problem — NFS was designed for trusted LANs, not internet-facing infrastructure.
```bash
# Check if rpcbind is listening
ss -tulnp | grep ':111'

# Disable
sudo systemctl disable --now rpcbind rpcbind.socket
```
exim4 — A Mail Server You Probably Don’t Need
Enabled by default: Debian
Debian installs exim4 as a local mail transfer agent (MTA) — a mail server — by default. It’s configured in “local delivery only” mode, but it still runs, binds to a socket, and has had serious vulnerabilities over the years.
Unless your server actually sends mail (cron notifications, application alerts), you don’t need a full MTA.
```bash
sudo systemctl disable --now exim4
sudo apt purge exim4 exim4-base exim4-config
# Lightweight alternative for sending-only:
sudo apt install msmtp
```
Debian: Full Audit
```bash
ss -tulnp | awk 'NR>1 {print $5, $7}' | sort -u
systemctl list-units --type=service --state=running | grep -E 'avahi|cups|rpcbind|exim'
```
RHEL / Rocky Linux / AlmaLinux: Enterprise Defaults
Red Hat-based distributions are often considered the “enterprise” choice and assumed to be more locked down. They’re more conservative than Ubuntu, but still ship several services that deserve scrutiny.
cockpit — A Web Interface Listening on Port 9090
Enabled by default: RHEL 8+, Rocky Linux, AlmaLinux
Cockpit is a web-based server management interface. It’s genuinely useful for administration — but it opens port 9090 on your server by default. Any vulnerability in Cockpit’s web interface (or misconfigured access controls) exposes a management plane to the network.
```bash
# Check if cockpit is running
systemctl is-active cockpit

# Disable if not used
sudo systemctl disable --now cockpit cockpit.socket
sudo firewall-cmd --remove-service=cockpit --permanent
sudo firewall-cmd --reload
```
rpcbind — Same Problem as Debian
RHEL-based distros install rpcbind when NFS-related packages are present, which happens more often than you’d expect in enterprise environments.
```bash
sudo systemctl disable --now rpcbind rpcbind.socket
sudo firewall-cmd --remove-service=rpc-bind --permanent
```
postfix — A Null-Client MTA Running by Default
Enabled by default: RHEL/Rocky/AlmaLinux
Similar to Debian’s exim4, RHEL ships postfix in a “null client” configuration. It accepts local mail for forwarding but doesn’t relay externally. It still runs, still occupies a process, and still needs patching.
```bash
sudo systemctl disable --now postfix
# If you need mail forwarding, configure postfix as a null client properly
# or use msmtp for simple SMTP relay
```
kdump — Kernel Crash Dumps with Root Access
Enabled by default: RHEL/Rocky/AlmaLinux
kdump captures kernel crash dumps for debugging. It runs with elevated privileges and writes full memory dumps to disk. A full memory dump includes everything in RAM at the time of crash — encryption keys, passwords, session tokens, everything.
On a production server, those crash dumps need to be secured or kdump needs to be disabled. If a disk fill or misconfiguration makes crash dumps world-readable, you have a serious data exposure issue.
```bash
sudo systemctl disable --now kdump
# CIS Benchmark recommendation: disable unless actively debugging kernel crashes
```
chronyd — Usually Fine, But Worth Knowing
Enabled by default: All RHEL-family distros
chronyd (chrony) is the NTP client/server — it keeps system time synchronized. Unlike the others here, you generally want this running. However:
- It listens on UDP 323 for local chronyc queries
- If misconfigured as a server, it listens on UDP 123 and can be used in NTP amplification DDoS attacks
- Verify it’s configured correctly:
```bash
chronyc tracking
```
and check `/etc/chrony.conf`.
RHEL/Rocky/AlmaLinux: Full Audit
```bash
# Check listening ports
ss -tulnp

# Check specifically for these services
# (systemctl is-active prints "inactive" or "unknown" and exits non-zero for
#  anything not running, so capture its output rather than chaining on its exit code)
for svc in cockpit rpcbind postfix kdump; do
  state=$(systemctl is-active "$svc" 2>/dev/null || true)
  echo "$svc: ${state:-not-found}"
done

# Firewall — what's allowed in?
sudo firewall-cmd --list-all
```
Fedora: Cutting Edge, But Same Patterns
Fedora serves as the upstream for RHEL and ships many of the same defaults plus some of its own.
flatpak — The Desktop App Runtime
Enabled by default: Fedora Workstation (less common on Server)
Similar to snap in concept, flatpak provides sandboxed application packaging. On a server, this is almost certainly unnecessary. The attack surface concern is the same as snapd: complex sandboxing logic running with elevated privileges.
```bash
sudo systemctl disable --now flatpak-system-helper
sudo dnf remove flatpak  # if not needed
```
NetworkManager — Appropriate for Desktop, Questionable for Server
Enabled by default: Fedora
NetworkManager is excellent for desktop environments where you’re switching between Wi-Fi networks. On a server with static network configuration, it adds complexity without benefit. Many admins prefer using systemd-networkd directly on servers.
```bash
# Not necessarily disable — but review whether it is truly needed on a server
systemctl status NetworkManager
```
openSUSE: Well-Configured, Still Worth Checking
openSUSE (both Leap and Tumbleweed) has a reputation for security-conscious defaults and uses YaST for configuration management. It’s generally cleaner than Ubuntu, but the same categories of services appear.
avahi — Present in Desktop Profiles
```bash
sudo systemctl disable --now avahi-daemon
sudo zypper remove avahi
```
CUPS
CVE-2024-47176 applies equally here.
```bash
sudo systemctl disable --now cups cups-browsed
sudo zypper remove cups
```
SuSEfirewall2 vs firewalld
openSUSE Leap 15.4+ uses firewalld by default. Verify your firewall is active and configured:
```bash
sudo firewall-cmd --list-all
sudo systemctl is-active firewalld
```
Cross-Distro Comparison
| Service | Ubuntu | Debian | RHEL/Rocky | Fedora | openSUSE |
|---|---|---|---|---|---|
| snapd | ✓ Default | ✗ | ✗ | ✗ | ✗ |
| avahi-daemon | ✓ Default | ✓ Desktop | ✗ | ✓ Desktop | ✓ Desktop |
| CUPS | ✓ Often | ✓ Often | Optional | Optional | Optional |
| rpcbind | Optional | ✓ with NFS | ✓ with NFS | Optional | Optional |
| Local MTA | whoopsie | exim4 | postfix | postfix | postfix |
| Crash reporting | apport | ✗ | kdump | abrtd | ✗ |
| Web management | ✗ | ✗ | cockpit | cockpit | YaST |
| App runtime | snapd | ✗ | ✗ | flatpak | ✗ |
The CIS Benchmark Approach
The Center for Internet Security (CIS) publishes hardening benchmarks for every major Linux distro. These are the industry standard for server hardening and are referenced by PCI-DSS, SOC 2, and most enterprise security frameworks.
Every CIS Benchmark includes a section on “Services” with explicit recommendations for what to disable. The logic is consistent across distros:
- Level 1: Disable services with no legitimate use case on servers
- Level 2: More aggressive hardening for high-security environments
CIS benchmarks are freely available at cisecurity.org/cis-benchmarks. If you’re running servers in a regulated environment, CIS compliance tooling like CIS-CAT or OpenSCAP can automate the audit.
```bash
# OpenSCAP audit against CIS profile (RHEL/Rocky)
sudo dnf install openscap-scanner scap-security-guide
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --results /tmp/oscap-report.xml \
  /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

# Ubuntu CIS audit
sudo apt install libopenscap8
sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level1_server \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml
```
What You Can Do Today
Step 1 — Inventory what’s running:
```bash
ss -tulnp
systemctl list-units --type=service --state=running
```
Step 2 — Run the distro-specific checks above and identify services you don’t recognize or don’t need.
Step 3 — Disable aggressively, test thoroughly:
```bash
# Disable a service
sudo systemctl disable --now <service>

# Verify it's stopped
systemctl is-active <service>

# Verify ports are closed
ss -tulnp | grep <port>
```
Step 4 — Make it permanent — on Ubuntu, use apt-mark hold to prevent reinstallation. On RHEL, use dnf mark or automation to enforce state.
Step 5 — Implement firewall rules as defense-in-depth — even if a service is running, a host firewall limits exposure:
```bash
# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable

# firewalld (RHEL/Fedora/openSUSE)
sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
```
Step 6 — Review monthly — package updates and new installs can re-enable services. Add a cron job or integrate into your monitoring.
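As an added example (not code from the original post), here is a small Python script that automates both the 60-second audit from the start of this guide and the monthly review in Step 6: it parses `ss -tulnp` output, compares every listener against a baseline of expected (protocol, port) pairs, and annotates anything unexpected with the default services this post discusses. The sample `ss` output, the baseline of `tcp/22` only, and the file name `audit_listeners.py` are constructed for illustration.

```python
import re
import sys
# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:631   0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
udp   UNCONN 0      0      0.0.0.0:5353  0.0.0.0:* users:(("avahi-daemon",pid=640,fd=12))
udp   UNCONN 0      0      127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=701,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=905,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=598,fd=4),("systemd",pid=1,fd=40))
tcp   LISTEN 0      4096   *:9090        *:*       users:(("systemd",pid=1,fd=45))
"""
# Defaults the post discusses, keyed by (proto, port); used to annotate findings.
KNOWN_DEFAULTS = {
    ("udp", 631): "cups-browsed (CVE-2024-47176)", ("tcp", 631): "cups",
    ("udp", 5353): "avahi-daemon mDNS", ("udp", 323): "chronyd command port",
    ("tcp", 111): "rpcbind portmapper", ("udp", 111): "rpcbind portmapper",
    ("tcp", 9090): "cockpit web console (cockpit.socket, held by systemd until first use)",
}
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")

def parse_ss(output):
    """Return (proto, addr, port, process) tuples from `ss -tulnp` output."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        proto, local, proc = m.groups()
        addr, _, port = local.rpartition(":")  # works for [::]:631 and *:9090 too
        owner = re.search(r'\("([^"]+)"', proc)  # first process holding the socket
        rows.append((proto, addr, int(port), owner.group(1) if owner else "?"))
    return rows

def audit(output, baseline):
    """Flag listeners absent from baseline (a set of (proto, port) pairs)."""
    findings = []
    for proto, addr, port, proc in parse_ss(output):
        if (proto, port) in baseline:
            continue
        findings.append({
            "proto": proto, "addr": addr, "port": port, "process": proc,
            "note": KNOWN_DEFAULTS.get((proto, port), "unrecognised: investigate"),
            "exposed": addr not in ("127.0.0.1", "[::1]"),  # loopback-only is not network-reachable
        })
    return findings

if __name__ == "__main__":  # usage: ss -tulnp | python3 audit_listeners.py
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text, {("tcp", 22)}):  # constructed baseline: only sshd is expected
        print(f"{f['proto']}/{f['port']:<5} {f['process']:<14} {'EXPOSED' if f['exposed'] else 'local':<8} {f['note']}")
```

A listener owned by `systemd` is a socket-activated unit (cockpit.socket, rpcbind.socket), which is why the post disables the `.socket` unit alongside the service: `systemctl is-active cockpit` reports inactive while port 9090 is still open.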
Related Posts
- Windows Event Logs for Security Analysts — The same “what’s running that you didn’t ask for” question applies to Windows; Event ID 7045 catches new service installs automatically
- Purple Teaming with Budget-Free Tools — Testing your own attack surface after hardening is the logical next step
- Threat Hunting with Wazuh — Wazuh can continuously monitor which services are running and alert on changes to your baseline
Sources
- NVD — CVE-2024-47176 (CUPS RCE, CVSS 9.9)
- NVD — CVE-2026-3888 (snapd privilege escalation)
- CIS Benchmarks — Center for Internet Security
- Ubuntu Server Guide — Security
- Red Hat — A Guide to Securing Red Hat Enterprise Linux
- OpenSCAP — Security Compliance Auditing
- BleepingComputer — CUPS vulnerabilities could be chained for RCE